this post was submitted on 28 Aug 2024
94 points (89.8% liked)

Cybersecurity - Memes

Sadly, the support for passkeys is still lacking.

[–] Diplomjodler3@lemmy.world 36 points 2 months ago (3 children)

I still have no idea how passkeys work. All the explanations I've seen so far were less than helpful.

[–] synapse1278@lemmy.world 24 points 2 months ago (1 children)

As I understand it, instead of the website or online service storing your password (in a supposedly secure way), with a passkey your password manager stores a private key and the online service stores a public key (or rather a lock). The key and the lock are paired together cryptographically (mathematical functions that are non-reversible). Now when you log in with a passkey, the service sends a challenge generated from the lock that can be solved only with the matching private key; your password manager solves the challenge and you're authenticated. Locks and keys are not exchanged during the process, and services never store your key. Everything happens automagically.

It actually uses the same protocol used in some hardware security keys such as Yubikey and Solokeys. The problem remains the same as with hardware security keys: adoption, support and compatibility. It's very rare that a service supports these options, although they have existed for a while.

Anyone feel free to correct me if I wrote something wrong. I am by no means an expert.
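
The challenge-response flow described in the comment above, written out as an added example (my own simplified model, not the commenter's code and not the real WebAuthn/CTAP message format). It assumes ECDSA P-256 for the key pair and binds the signed data to the service origin so the same response cannot be replayed or redirected to another site:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Service is the relying party: it stores only the public key (the "lock") and knows its own origin.
type Service struct {
	origin string
	pub    *ecdsa.PublicKey
}

// Authenticator is the password manager: the private key lives here and never leaves.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register mints a fresh P-256 key pair for this service and hands over only the public half.
func Register(origin string) (*Service, *Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Service{origin: origin, pub: &priv.PublicKey}, &Authenticator{priv: priv}, nil
}

// NewChallenge returns 32 random bytes; a fresh value per login means a captured response cannot be replayed.
func (s *Service) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the origin the user is actually on, so a response for another domain fails here.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Solve signs the challenge for the origin the browser reports; only the signature goes back.
func (a *Authenticator) Solve(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify checks the response against the stored public key and the service's own origin.
func (s *Service) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(s.pub, signedData(s.origin, challenge), sig)
}
```

A breach of the service leaks only public keys, which cannot produce a valid response to the next challenge.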

[–] cron 15 points 2 months ago (1 children)

Your explanation is correct.

For me, the critical issue is still compatibility. Not all password managers support passkeys, not many sites support passkeys etc.

[–] synapse1278@lemmy.world 2 points 2 months ago

Yes, I have had my Solokey for a while. I can count the compatible services I use on the fingers of one hand. Passkeys, as of today, even fewer...

[–] EncryptKeeper@lemmy.world 9 points 2 months ago

The (over?) simplified version is they’re basically the same as the key/certificate pairs you use to connect to a website securely while also proving its identity to you.

Some key benefits of passkeys are:

  • Your private key doesn’t leave your device (or your password manager). You no longer have to worry about whether the website you’re using is incompetent and storing your password in plain text waiting to be stolen in a breach. The only one who can expose your passkey is you (or your password manager)
  • Your passkey isn’t something you have to remember, so for the unwashed masses it’s more idiot-proof because they’re more secure by default

[–] Neon@lemmy.world 3 points 2 months ago

Imagine SSH Key but for Website